Docker

Cockpit can manage containers via Docker. This functionality is present in the Cockpit docker package.

Cockpit communicates with the Docker daemon via its API via the /var/run/docker.sock unix socket. The Docker API is root equivalent, and on a properly configured system, only root can access the Docker API. If the currently logged in user is not root then Cockpit will try to escalate the user's privileges via Polkit or sudo before connecting to the socket.

Alternatively one may create a docker unix group. Anyone in that docker group can then access the Docker API, and gain root privileges on the system. This impacts system security and is not recommended for general usage.

Similar container functionality is available on the command line via the docker tool:

$ sudo docker run -ti fedora /bin/bash
[root@57625bc8787e /]#